diff --git a/docker-selinux.tgz b/docker-selinux.tgz index 02bfac3..35c2662 100644 Binary files a/docker-selinux.tgz and b/docker-selinux.tgz differ diff --git a/policy-rawhide-base.patch b/policy-rawhide-base.patch index b5bc472..1593fb5 100644 --- a/policy-rawhide-base.patch +++ b/policy-rawhide-base.patch @@ -1961,7 +1961,7 @@ index c6ca761..0c86bfd 100644 ') diff --git a/policy/modules/admin/netutils.te b/policy/modules/admin/netutils.te -index c44c359..5210ca5 100644 +index c44c359..ae484a0 100644 --- a/policy/modules/admin/netutils.te +++ b/policy/modules/admin/netutils.te @@ -7,10 +7,10 @@ policy_module(netutils, 1.12.1) @@ -2077,7 +2077,11 @@ index c44c359..5210ca5 100644 ifdef(`hide_broken_symptoms',` init_dontaudit_use_fds(ping_t) -@@ -149,11 +156,25 @@ ifdef(`hide_broken_symptoms',` +@@ -146,14 +153,29 @@ ifdef(`hide_broken_symptoms',` + optional_policy(` + nagios_dontaudit_rw_log(ping_t) + nagios_dontaudit_rw_pipes(ping_t) ++ nagios_dontaudit_write_pipes_nrpe(ping_t) ') ') @@ -2103,7 +2107,7 @@ index c44c359..5210ca5 100644 pcmcia_use_cardmgr_fds(ping_t) ') -@@ -161,6 +182,15 @@ optional_policy(` +@@ -161,6 +183,15 @@ optional_policy(` hotplug_use_fds(ping_t) ') @@ -2119,7 +2123,7 @@ index c44c359..5210ca5 100644 ######################################## # # Traceroute local policy -@@ -174,7 +204,6 @@ allow traceroute_t self:udp_socket create_socket_perms; +@@ -174,7 +205,6 @@ allow traceroute_t self:udp_socket create_socket_perms; kernel_read_system_state(traceroute_t) kernel_read_network_state(traceroute_t) @@ -2127,7 +2131,7 @@ index c44c359..5210ca5 100644 corenet_all_recvfrom_netlabel(traceroute_t) corenet_tcp_sendrecv_generic_if(traceroute_t) corenet_udp_sendrecv_generic_if(traceroute_t) -@@ -198,6 +227,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) +@@ -198,6 +228,7 @@ fs_dontaudit_getattr_xattr_fs(traceroute_t) domain_use_interactive_fds(traceroute_t) files_read_etc_files(traceroute_t) 
@@ -2135,7 +2139,7 @@ index c44c359..5210ca5 100644 files_dontaudit_search_var(traceroute_t) init_use_fds(traceroute_t) -@@ -206,11 +236,17 @@ auth_use_nsswitch(traceroute_t) +@@ -206,11 +237,17 @@ auth_use_nsswitch(traceroute_t) logging_send_syslog_msg(traceroute_t) @@ -9743,7 +9747,7 @@ index 76f285e..5cd2702 100644 + filetrans_pattern($1, device_t, xserver_misc_device_t, chr_file, "card9") +') diff --git a/policy/modules/kernel/devices.te b/policy/modules/kernel/devices.te -index 0b1a871..8d4003a 100644 +index 0b1a871..4cef59b 100644 --- a/policy/modules/kernel/devices.te +++ b/policy/modules/kernel/devices.te @@ -15,11 +15,12 @@ attribute devices_unconfined_type; @@ -9899,7 +9903,7 @@ index 0b1a871..8d4003a 100644 # Type for vmware devices. type vmware_device_t; -@@ -319,5 +371,6 @@ files_associate_tmp(device_node) +@@ -319,5 +371,8 @@ files_associate_tmp(device_node) # allow devices_unconfined_type self:capability sys_rawio; @@ -9908,6 +9912,8 @@ index 0b1a871..8d4003a 100644 +allow devices_unconfined_type device_node:{ blk_file lnk_file } *; +allow devices_unconfined_type device_node:{ file chr_file } ~{ execmod entrypoint }; +allow devices_unconfined_type mtrr_device_t:file ~{ execmod entrypoint }; ++dev_getattr_all(devices_unconfined_type) ++ diff --git a/policy/modules/kernel/domain.if b/policy/modules/kernel/domain.if index 6a1e4d1..26e5558 100644 --- a/policy/modules/kernel/domain.if @@ -17882,7 +17888,7 @@ index d7c11a0..6b3331d 100644 /var/run/shm/.* <> -') diff --git a/policy/modules/kernel/filesystem.if b/policy/modules/kernel/filesystem.if -index 8416beb..531dfef 100644 +index 8416beb..761fbab 100644 --- a/policy/modules/kernel/filesystem.if +++ b/policy/modules/kernel/filesystem.if @@ -631,6 +631,27 @@ interface(`fs_getattr_cgroup',` 
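Review bot: The new `dev_getattr_all(devices_unconfined_type)` line appended to devices.te carries no comment saying which denial or caller it serves, and the three `allow devices_unconfined_type device_node:...` rules directly above it already include getattr (`*` and `~{ execmod entrypoint }` both cover it), so what the interface reaches beyond `device_node` is not visible in this hunk. A one-line comment such as `# getattr on device types not covered by the device_node rules above (pull request #127)` would make the intent checkable; #127 is the pull request the spec changelog cites for this change. The second added line is an empty line at end of file, which is usually stripped before merging.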
@@ -19654,16 +19660,11 @@ index 8416beb..531dfef 100644 ######################################## ## ## Mount a NFS filesystem. -@@ -2356,44 +3283,62 @@ interface(`fs_remount_nfs',` - type nfs_t; - ') +@@ -2361,39 +3288,57 @@ interface(`fs_remount_nfs',` -- allow $1 nfs_t:filesystem remount; -+ allow $1 nfs_t:filesystem remount; -+') -+ -+######################################## -+## + ######################################## + ## +-## Unmount a NFS filesystem. +## Unmount a NFS filesystem. +## +## @@ -19678,11 +19679,10 @@ index 8416beb..531dfef 100644 + ') + + allow $1 nfs_t:filesystem unmount; - ') - - ######################################## - ## --## Unmount a NFS filesystem. ++') ++ ++######################################## ++## +## Get the attributes of a NFS filesystem. ## ## 
@@ -20153,82 +20153,48 @@ index 8416beb..531dfef 100644 ## Get the attributes of a tmpfs ## filesystem. ## -@@ -3839,39 +5047,76 @@ interface(`fs_getattr_tmpfs',` - ## - ## - ## --## The type of the object to be associated. -+## The type of the object to be associated. -+## -+## -+# -+interface(`fs_associate_tmpfs',` -+ gen_require(` -+ type tmpfs_t; -+ ') -+ -+ allow $1 tmpfs_t:filesystem associate; +@@ -3866,12 +5074,49 @@ interface(`fs_relabelfrom_tmpfs',` + type tmpfs_t; + ') + +- allow $1 tmpfs_t:filesystem relabelfrom; ++ allow $1 tmpfs_t:filesystem relabelfrom; +') + +######################################## +## -+## Relabel from tmpfs filesystem. ++## Get the attributes of tmpfs directories. +## -+## ++## +## +## Domain allowed access. +## +## +# -+interface(`fs_relabelfrom_tmpfs',` ++interface(`fs_getattr_tmpfs_dirs',` + gen_require(` + type tmpfs_t; + ') + -+ allow $1 tmpfs_t:filesystem relabelfrom; ++ allow $1 tmpfs_t:dir getattr; +') + +######################################## +## -+## Get the attributes of tmpfs directories. -+## -+## -+## -+## Domain allowed access. - ## - ## - # --interface(`fs_associate_tmpfs',` -+interface(`fs_getattr_tmpfs_dirs',` - gen_require(` - type tmpfs_t; - ') - -- allow $1 tmpfs_t:filesystem associate; -+ allow $1 tmpfs_t:dir getattr; - ') - - ######################################## - ## --## Relabel from tmpfs filesystem. +## Do not audit attempts to get the attributes +## of tmpfs directories. - ## --## ++## +## - ## --## Domain allowed access. ++## +## Domain to not audit. - ## - ## - # --interface(`fs_relabelfrom_tmpfs',` ++## ++## ++# +interface(`fs_dontaudit_getattr_tmpfs_dirs',` - gen_require(` - type tmpfs_t; - ') - -- allow $1 tmpfs_t:filesystem relabelfrom; ++ gen_require(` ++ type tmpfs_t; ++ ') ++ + dontaudit $1 tmpfs_t:dir getattr; ') 
@@ -20658,7 +20624,7 @@ index 8416beb..531dfef 100644 ## Search all directories with a filesystem type. ## ## -@@ -4912,3 +6345,63 @@ interface(`fs_unconfined',` +@@ -4912,3 +6345,82 @@ interface(`fs_unconfined',` typeattribute $1 filesystem_unconfined_type; ') @@ -20722,8 +20688,27 @@ index 8416beb..531dfef 100644 + + read_files_pattern($1, efivarfs_t, efivarfs_t) +') ++ ++######################################## ++## ++## Read and write sockets of ONLOAD file system pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`fs_rw_onload_sockets',` ++ gen_require(` ++ type onload_fs_t; ++ ') ++ ++ rw_sock_files_pattern($1, onload_fs_t, onload_fs_t) ++') ++ diff --git a/policy/modules/kernel/filesystem.te b/policy/modules/kernel/filesystem.te -index e7d1738..fc52817 100644 +index e7d1738..59c1cb8 100644 --- a/policy/modules/kernel/filesystem.te +++ b/policy/modules/kernel/filesystem.te @@ -26,14 +26,19 @@ fs_use_xattr ext2 gen_context(system_u:object_r:fs_t,s0); @@ -20817,7 +20802,7 @@ index e7d1738..fc52817 100644 type mvfs_t; fs_noxattr_type(mvfs_t) allow mvfs_t self:filesystem associate; -@@ -118,13 +148,18 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) +@@ -118,13 +148,23 @@ genfscon mvfs / gen_context(system_u:object_r:mvfs_t,s0) type nfsd_fs_t; fs_type(nfsd_fs_t) @@ -20828,6 +20813,11 @@ index e7d1738..fc52817 100644 +fs_type(nsfs_t) +genfscon nsfs / gen_context(system_u:object_r:nsfs_t,s0) + ++type onload_fs_t; ++fs_type(onload_fs_t) ++files_mountpoint(onload_fs_t) ++genfscon onloadfs / gen_context(system_u:object_r:onload_fs_t,s0) ++ type oprofilefs_t; fs_type(oprofilefs_t) genfscon oprofilefs / gen_context(system_u:object_r:oprofilefs_t,s0) 
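Review bot: The summary of the new `fs_rw_onload_sockets` interface reads `Read and write sockets of ONLOAD file system pipes.`, but its body is `rw_sock_files_pattern($1, onload_fs_t, onload_fs_t)`, which grants access to sock_file objects, not pipes; suggest `## Read and write sock files on an onloadfs filesystem.` so the description matches the rule. The interface is appended after the efivarfs interface whose start lies outside this hunk, following that precedent rather than grouping it with the other per-filesystem interfaces, which is acceptable. The trailing `++` line adds a blank line at end of filesystem.if.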
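Review bot: The new type is named `onload_fs_t`, while every neighbouring filesystem type in this hunk takes its name straight from the genfscon filesystem name (`nsfs_t` for `nsfs`, `oprofilefs_t` for `oprofilefs`), so `onloadfs_t` would be the consistent choice for `genfscon onloadfs /`; the same rename would apply to `fs_rw_onload_sockets` in filesystem.if, the other hunk of this commit that references the type. Unlike `nsfs_t` just above it, the type also receives `files_mountpoint(onload_fs_t)`, which is fine if the filesystem is mounted on a regular directory but deserves a short comment naming the expected mount location, since nothing in the hunk shows it.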
@@ -20837,7 +20827,7 @@ index e7d1738..fc52817 100644 fs_type(pstore_t) files_mountpoint(pstore_t) dev_associate_sysfs(pstore_t) -@@ -150,17 +185,16 @@ fs_type(spufs_t) +@@ -150,17 +190,16 @@ fs_type(spufs_t) genfscon spufs / gen_context(system_u:object_r:spufs_t,s0) files_mountpoint(spufs_t) @@ -20859,7 +20849,7 @@ index e7d1738..fc52817 100644 type vmblock_t; fs_noxattr_type(vmblock_t) files_mountpoint(vmblock_t) -@@ -172,6 +206,8 @@ type vxfs_t; +@@ -172,6 +211,8 @@ type vxfs_t; fs_noxattr_type(vxfs_t) files_mountpoint(vxfs_t) genfscon vxfs / gen_context(system_u:object_r:vxfs_t,s0) @@ -20868,7 +20858,7 @@ index e7d1738..fc52817 100644 # # tmpfs_t is the type for tmpfs filesystems -@@ -182,6 +218,8 @@ fs_type(tmpfs_t) +@@ -182,6 +223,8 @@ fs_type(tmpfs_t) files_type(tmpfs_t) files_mountpoint(tmpfs_t) files_poly_parent(tmpfs_t) @@ -20877,7 +20867,7 @@ index e7d1738..fc52817 100644 # Use a transition SID based on the allocating task SID and the # filesystem SID to label inodes in the following filesystem types, -@@ -261,6 +299,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) +@@ -261,6 +304,8 @@ genfscon udf / gen_context(system_u:object_r:iso9660_t,s0) type removable_t; allow removable_t noxattrfs:filesystem associate; fs_noxattr_type(removable_t) @@ -20886,7 +20876,7 @@ index e7d1738..fc52817 100644 files_mountpoint(removable_t) # -@@ -280,6 +320,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) +@@ -280,6 +325,7 @@ genfscon ncpfs / gen_context(system_u:object_r:nfs_t,s0) genfscon reiserfs / gen_context(system_u:object_r:nfs_t,s0) genfscon panfs / gen_context(system_u:object_r:nfs_t,s0) genfscon gadgetfs / gen_context(system_u:object_r:nfs_t,s0) @@ -20894,7 +20884,7 @@ index e7d1738..fc52817 100644 ######################################## # -@@ -301,9 +342,10 @@ fs_associate_noxattr(noxattrfs) +@@ -301,9 +347,10 @@ fs_associate_noxattr(noxattrfs) # Unconfined access to this module # 
@@ -22211,7 +22201,7 @@ index e100d88..1428581 100644 +') + diff --git a/policy/modules/kernel/kernel.te b/policy/modules/kernel/kernel.te -index 8dbab4c..092e065 100644 +index 8dbab4c..5b93205 100644 --- a/policy/modules/kernel/kernel.te +++ b/policy/modules/kernel/kernel.te @@ -25,6 +25,9 @@ attribute kern_unconfined; @@ -22516,7 +22506,7 @@ index 8dbab4c..092e065 100644 -allow kern_unconfined sysctl_type:{ dir file } *; +allow kern_unconfined sysctl_type:{ file } ~entrypoint; -+allow kern_unconfined sysctl_type:{ dir } *; ++allow kern_unconfined sysctl_type:{ dir lnk_file } *; allow kern_unconfined kernel_t:system *; @@ -45976,7 +45966,7 @@ index 2cea692..bf86a31 100644 + files_pid_filetrans($1, ifconfig_var_run_t, dir, "netns") +') diff --git a/policy/modules/system/sysnetwork.te b/policy/modules/system/sysnetwork.te -index a392fc4..78fa512 100644 +index a392fc4..155d5ce 100644 --- a/policy/modules/system/sysnetwork.te +++ b/policy/modules/system/sysnetwork.te @@ -5,6 +5,13 @@ policy_module(sysnetwork, 1.15.4) @@ -46210,7 +46200,7 @@ index a392fc4..78fa512 100644 vmware_append_log(dhcpc_t) ') -@@ -264,12 +313,25 @@ allow ifconfig_t self:msgq create_msgq_perms; +@@ -264,12 +313,26 @@ allow ifconfig_t self:msgq create_msgq_perms; allow ifconfig_t self:msg { send receive }; # Create UDP sockets, necessary when called from dhcpc allow ifconfig_t self:udp_socket create_socket_perms; @@ -46232,11 +46222,12 @@ index a392fc4..78fa512 100644 +create_dirs_pattern(ifconfig_t, ifconfig_var_run_t, ifconfig_var_run_t) +files_pid_filetrans(ifconfig_t, ifconfig_var_run_t, { file dir }) +allow ifconfig_t ifconfig_var_run_t:file mounton; ++allow ifconfig_t ifconfig_var_run_t:dir mounton; + kernel_use_fds(ifconfig_t) kernel_read_system_state(ifconfig_t) kernel_read_network_state(ifconfig_t) -@@ -279,14 +341,32 @@ kernel_rw_net_sysctls(ifconfig_t) +@@ -279,14 +342,32 @@ kernel_rw_net_sysctls(ifconfig_t) corenet_rw_tun_tap_dev(ifconfig_t) 
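Review bot: The widening of the kern_unconfined rule from `sysctl_type:{ dir } *` to `sysctl_type:{ dir lnk_file } *` is not recorded in the spec changelog of this commit (no kernel.te or sysctl entry appears there), so the reason for it is not traceable from the commit. Because `*` grants every permission defined for the lnk_file class, a comment on the rule, e.g. `# unconfined kernel domains need full access to sysctl symlinks as well as directories`, or a changelog line would document the intent; the `~entrypoint` treatment kept for the `file` class shows the pattern the author intended for the other classes.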
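Review bot: The added `allow ifconfig_t ifconfig_var_run_t:dir mounton;` repeats the shape of the `:file mounton` rule directly above it; the two can be folded into one rule, `allow ifconfig_t ifconfig_var_run_t:{ file dir } mounton;`, matching the `{ file dir }` set already used by `files_pid_filetrans` two lines up. The spec changelog ties this to `ip netns add` (BZ 1340952) but the rule itself says nothing, so a comment such as `# needed by 'ip netns add' (BZ 1340952)` would keep that reason next to the permission it justifies.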
@@ -46269,7 +46260,7 @@ index a392fc4..78fa512 100644 fs_getattr_xattr_fs(ifconfig_t) fs_search_auto_mountpoints(ifconfig_t) -@@ -299,33 +379,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) +@@ -299,33 +380,51 @@ term_dontaudit_use_all_ptys(ifconfig_t) term_dontaudit_use_ptmx(ifconfig_t) term_dontaudit_use_generic_ptys(ifconfig_t) @@ -46327,7 +46318,7 @@ index a392fc4..78fa512 100644 optional_policy(` dev_dontaudit_rw_cardmgr(ifconfig_t) ') -@@ -336,7 +434,11 @@ ifdef(`hide_broken_symptoms',` +@@ -336,7 +435,11 @@ ifdef(`hide_broken_symptoms',` ') optional_policy(` @@ -46340,7 +46331,7 @@ index a392fc4..78fa512 100644 ') optional_policy(` -@@ -350,7 +452,16 @@ optional_policy(` +@@ -350,7 +453,16 @@ optional_policy(` ') optional_policy(` @@ -46358,7 +46349,7 @@ index a392fc4..78fa512 100644 ') optional_policy(` -@@ -371,3 +482,13 @@ optional_policy(` +@@ -371,3 +483,13 @@ optional_policy(` xen_append_log(ifconfig_t) xen_dontaudit_rw_unix_stream_sockets(ifconfig_t) ') diff --git a/policy-rawhide-contrib.patch b/policy-rawhide-contrib.patch index 596ccb2..fb9b995 100644 --- a/policy-rawhide-contrib.patch +++ b/policy-rawhide-contrib.patch @@ -10794,7 +10794,7 @@ index 02fefaa..308616e 100644 + ') ') diff --git a/boinc.te b/boinc.te -index 687d4c4..3c5a83a 100644 +index 687d4c4..f668033 100644 --- a/boinc.te +++ b/boinc.te @@ -12,7 +12,9 @@ policy_module(boinc, 1.1.1) @@ -10887,7 +10887,7 @@ index 687d4c4..3c5a83a 100644 manage_dirs_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) manage_files_pattern(boinc_t, boinc_tmp_t, boinc_tmp_t) -@@ -61,74 +101,48 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) +@@ -61,74 +101,49 @@ files_tmp_filetrans(boinc_t, boinc_tmp_t, { dir file }) manage_files_pattern(boinc_t, boinc_tmpfs_t, boinc_tmpfs_t) fs_tmpfs_filetrans(boinc_t, boinc_tmpfs_t, file) 
@@ -10925,6 +10925,7 @@ index 687d4c4..3c5a83a 100644 -corenet_all_recvfrom_unlabeled(boinc_t) +dev_getattr_mouse_dev(boinc_t) ++dev_rw_dri(boinc_t) + +files_getattr_all_dirs(boinc_t) +files_getattr_all_files(boinc_t) @@ -10984,7 +10985,7 @@ index 687d4c4..3c5a83a 100644 term_getattr_all_ptys(boinc_t) term_getattr_unallocated_ttys(boinc_t) -@@ -137,8 +151,9 @@ init_read_utmp(boinc_t) +@@ -137,8 +152,9 @@ init_read_utmp(boinc_t) logging_send_syslog_msg(boinc_t) @@ -10996,7 +10997,7 @@ index 687d4c4..3c5a83a 100644 tunable_policy(`boinc_execmem',` allow boinc_t self:process { execstack execmem }; -@@ -148,48 +163,61 @@ optional_policy(` +@@ -148,48 +164,61 @@ optional_policy(` mta_send_mail(boinc_t) ') @@ -57009,7 +57010,7 @@ index d78dfc3..40e1c77 100644 -/var/spool/nagios(/.*)? gen_context(system_u:object_r:nagios_spool_t,s0) diff --git a/nagios.if b/nagios.if -index 0641e97..438eeb3 100644 +index 0641e97..f3b1111 100644 --- a/nagios.if +++ b/nagios.if @@ -1,12 +1,13 @@ @@ -57058,12 +57059,10 @@ index 0641e97..438eeb3 100644 + + kernel_read_system_state(nagios_$1_plugin_t) + - ') - - ######################################## - ## --## Do not audit attempts to read or --## write nagios unnamed pipes. ++') ++ ++######################################## ++## +## Execute the nagios unconfined plugins with +## a domain transition. +## @@ -57080,10 +57079,12 @@ index 0641e97..438eeb3 100644 + ') + + domtrans_pattern($1, nagios_unconfined_plugin_exec_t, nagios_unconfined_plugin_t) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Do not audit attempts to read or +-## write nagios unnamed pipes. +## Do not audit attempts to read or write nagios +## unnamed pipes. ## 
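Review bot: `dev_rw_dri(boinc_t)` is added unconditionally, so every boinc_t instance presumably gains read/write access to the DRI device nodes, whereas the comparable grant in this file, `allow boinc_t self:process { execstack execmem }`, is gated behind the `boinc_execmem` tunable. Hosts that never run GPU projects would be better served by a boolean (name of your choosing) in the same style, keeping the GPU devices out of the domain's reach by default. At minimum the rule should carry a comment tying it to the motivating report, `# OpenCL GPU computation, see BZ(1340886)`, since the only explanation currently lives in the spec changelog.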
@@ -57160,10 +57161,11 @@ index 0641e97..438eeb3 100644 - files_search_spool($1) allow $1 nagios_spool_t:dir search_dir_perms; + files_search_spool($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Read nagios temporary files. +## Append nagios spool files. +## +## @@ -57179,11 +57181,10 @@ index 0641e97..438eeb3 100644 + + allow $1 nagios_spool_t:file append_file_perms; + files_search_spool($1) - ') - - ######################################## - ## --## Read nagios temporary files. ++') ++ ++######################################## ++## +## Allow the specified domain to read +## nagios temporary files. ## @@ -57196,11 +57197,10 @@ index 0641e97..438eeb3 100644 - files_search_tmp($1) allow $1 nagios_tmp_t:file read_file_perms; + files_search_tmp($1) - ') - - ######################################## - ## --## Execute nrpe with a domain transition. ++') ++ ++######################################## ++## +## Allow the specified domain to read +## nagios temporary files. +## @@ -57217,16 +57217,17 @@ index 0641e97..438eeb3 100644 + + allow $1 nagios_tmp_t:file rw_inherited_file_perms; + files_search_tmp($1) -+') -+ -+######################################## -+## + ') + + ######################################## + ## +-## Execute nrpe with a domain transition. +## Execute the nagios NRPE with +## a domain transition. ## ## ## -@@ -170,14 +243,13 @@ interface(`nagios_domtrans_nrpe',` +@@ -170,14 +243,31 @@ interface(`nagios_domtrans_nrpe',` type nrpe_t, nrpe_exec_t; ') 
@@ -57234,6 +57235,24 @@ index 0641e97..438eeb3 100644 domtrans_pattern($1, nrpe_exec_t, nrpe_t) ') ++###################################### ++## ++## Do not audit attempts to write nrpe daemon unnamed pipes. ++## ++## ++## ++## Domain allowed access. ++## ++## ++# ++interface(`nagios_dontaudit_write_pipes_nrpe',` ++ gen_require(` ++ type nrpe_t; ++ ') ++ ++ dontaudit $1 nrpe_t:fifo_file write; ++') ++ ######################################## ## -## All of the rules required to @@ -57243,7 +57262,7 @@ index 0641e97..438eeb3 100644 ## ## ## -@@ -186,44 +258,43 @@ interface(`nagios_domtrans_nrpe',` +@@ -186,44 +276,43 @@ interface(`nagios_domtrans_nrpe',` ## ## ## diff --git a/selinux-policy.spec b/selinux-policy.spec index f12dbb0..00c614a 100644 --- a/selinux-policy.spec +++ b/selinux-policy.spec @@ -19,7 +19,7 @@ Summary: SELinux policy configuration Name: selinux-policy Version: 3.13.1 -Release: 193%{?dist} +Release: 194%{?dist} License: GPLv2+ Group: System Environment/Base Source: serefpolicy-%{version}.tgz @@ -647,6 +647,15 @@ exit 0 %endif %changelog +* Tue Jun 07 2016 Lukas Vrabec 3.13.1-194 +- Allow boinc to use dri devices. This allows use Boinc for a openCL GPU calculations. BZ(1340886) +- Add nrpe_dontaudit_write_pipes() +- Merge pull request #129 from rhatdan/onload +- Add support for onloadfs +- Merge pull request #127 from rhatdan/device-node +- Additional access required for unconfined domains +- Dontaudit ping attempts to write to nrpe unnamed pipes +- Allow ifconfig_t to mounton also ifconfig_var_run_t dirs, not just files. Needed for: #ip netns add foo BZ(1340952) * Mon May 30 2016 Lukas Vrabec 3.13.1-193 - Directory Server (389-ds-base) has been updated to use systemd-ask-password. In order to function correctly we need the following added to dirsrv.te - Update opendnssec_manage_config() interface to allow caller domain also manage opendnssec_conf_t dirs
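Review bot: The parameter summary of the new `nagios_dontaudit_write_pipes_nrpe` interface reads `Domain allowed access.`, but for a dontaudit interface the convention used elsewhere in this commit (see `fs_dontaudit_getattr_tmpfs_dirs` in filesystem.if) is `Domain to not audit.`. The banner line above the interface appears two characters shorter than the `########################################` used by the other interfaces in nagios.if and should be padded to match. The spec changelog records this addition as `Add nrpe_dontaudit_write_pipes()`, which does not match the name actually defined here and called from netutils.te as `nagios_dontaudit_write_pipes_nrpe(ping_t)`; one of the two should be corrected.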